CN103763100A - Sum and product computing method for protecting data privacy security of arbitrary user group - Google Patents

Abstract

The invention relates to a sum and product computing method for protecting data privacy security of an arbitrary user group. The computing method comprises the following steps of system initialization, user private key generation, secret key generation, sum encryption, product encryption, sum decryption, and product decryption. To be specific, according to the system initialization, a security parameter is specified; and a corresponding integer group and a system public key are generated by the security parameter. According to the user private key generation, participants in the user group compute private keys independently and respectively, so that the product of the private keys is equal to one after modulus operation. According to the secret key generation, a sum secret key and a product secret key for encryption data are generated for the participants based on combination of the system public key and the user private keys. According to the sum encryption, during the sum computing, the participants utilize the obtained secret keys to carry out encryption on the sum computing and send obtained sum ciphertexts to other participants in the user group. According to the product encryption, during product computing, the participants utilize the obtained secret keys to carry out encryption on the product computing and send obtained product ciphertexts to other participants in the user group. According to the sum decryption, the participants in the user group combine the received ciphertexts to obtain a final sum. And according to the product decryption, the participants in the user group combine received ciphertexts to obtain a final product.

Description

Protect any customer group data-privacy safety and with long-pending computational methods

Technical field

The present invention relates to Secure computing technique field, be specifically related to any customer group data-privacy of a kind of protection based on polynomial interopolation algorithm safety and with long-pending computational methods.

Background technology

Arbitrarily user's and there is using value very widely with long-pending safety compute.Along with the development of network technology, personal data are often used in the calculating of statistical information or the application based on data mining.Such as the electric weight in intelligent grid is dispatched the power information of utilizing each family; Data mining in social networks involves personal information; The personal information providing based on public users is provided in service in mass-rent (Crowd Sourcing) application.But user's data have sensitiveness, user's openly data of oneself of being unwilling, the calculating needing in therefore need to completing application under the condition that does not expose individual data.The calculating needing in most of this type of application can both with multiple and, long-pending calculating (for example: linear regression analysis realize, support vector classification, variance is calculated, mean value calculation etc.), and and with long-pending each variable participant from mutual mistrust, i.e. each party's openly private data of oneself of being all unwilling.

Along with market demands, existing a large amount of having researched and proposed for the solution of polynomial computation in many ways in applied cryptography field.These methods often lay particular emphasis on theoretic secret protection, and do not consider the environment of practical application scene thereby lack practicality.In the environment of practical application scene, the customer group that participates in calculating often dynamically changes, and therefore can not fix some customer groups; The user who participates in calculating may be thousands of, and the computing capability of individual calculus platform and storage capacity limited, computation complexity and communication complexity can not be too large; A lot of application are higher to the requirement of result of calculation, therefore can not utilize approximation to replace final calculation result; Trusted third party or trusted party are difficult to exist under practical application scene, therefore calculate and can not rely on these objects.After these environmental factors are taken into account, most methods of the prior art (for example Secure calculates, the result of study in homomorphic cryptography algorithm and other same domains) all cannot be applied in actual life.Especially in the environment without trusted channel, need to draw that, in the algorithm of correct result, correlation technique up to now all needs the user of each combination to generate a group key, cause each user need to preserve individual 2 ⁿkey, space complexity is too high.Therefore, need a kind of method gearing to actual circumstances calculate safely data that multi-user provides and with long-pending.

Summary of the invention

(1) technical problem that will solve

The object of the present invention is to provide any customer group data-privacy of a kind of flexible, quick and safe protection safety and with long-pending computational methods; Make the private data that jointly calculates them that the participant of combination in any can both be quick and safe and with long-pending, and guarantee suitable space complexity.

(2) technical scheme

Technical solution of the present invention is as follows:

Any customer group data-privacy of protection safety based on polynomial interopolation algorithm and with long-pending computational methods, comprise step:

S1. system initialization: specify security parameter κ, generate corresponding group of integers and system PKI according to described security parameter κ;

S2. generate private key for user: in customer group, participant calculates private key independently of one another, make the product of these private keys after modulo operation, be equivalent to one;

S3. key generates: in conjunction with described system PKI and private key for user be participant generate for enciphered data with key and long-pending key;

S4. and encrypt: with calculate time, participant utilizes the key obtaining to being encrypted with calculating, and handle obtain issue other participants in customer group with ciphertext;

S5. long-pending encryption: when long-pending calculating, participant utilizes the key obtaining to be encrypted long-pending calculating, and the long-pending ciphertext obtaining is issued to other participants in customer group;

S6. and deciphering: the participant in customer group by the ciphertext combination of receiving obtain final and;

S7. long-pending deciphering: the participant in customer group obtains final amassing by the ciphertext combination of receiving.

Preferably, described step S1 comprises:

S11. after specifying security parameter κ, generate the prime number p that length is κ;

S12. select at random

?

in find one and p ²(p-1) ²relatively prime random number

S13. public address system PKI <p, g, g ₁>.

Preferably, described step S2 comprises:

S21. in customer group, participant i chooses independently at random arbitrarily

S22. described participant i will send to participant i-1 and participant i+1;

S23. described participant i calculates the private key of following parameter as oneself

And,

Preferably, all participants' quantity is n, in described step S22:

When i=1, participant i-1 is participant n;

When i=n, participant i+1 is participant 1.

Preferably, described step S3 comprises:

S31. participant i independent random is chosen the secret parameter of following random number as oneself:

$\{r_{i,1}^{\left(n_{\min }\right)},r_{i,1}^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,r_{i,1}^n\}$

$\{r_{i,2}^{\left(n_{\min }\right)},r_{i,2}^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,r_{i,2}^n\};$

…

$\{r_{i,k-1}^{\left(n_{\min }\right)},r_{i,k-1}^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,r_{i,k-1}^n\}$

Wherein, n _minbe participate in and, long-pending minimum number requirement of calculating;

S32. the following key algorithm of the common participation of described participant i and other any participant j:

The secret multinomial of participant j local computing oneself:

${\mathrm{poly}}_j^{(k-1)}\left(i\right)={\mathrm{ir}}_{j,1}^{\left(k\right)}+\&CenterDot;\&CenterDot;\&CenterDot;+i^{k-1}{r}_{j,k-1}^{\left(k\right)}\left(\mathrm{mod}p(p-1)\right);$

Calculate open parameter:

Participant j issues described participant i by the open parameter calculating;

S33. the following parameter of described participant i local computing:

${=(1+p(p-1))}^{\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{\mathrm{poly}}_j^{(k-1)}\left(i\right)}\left(\mathrm{mod}{p}^2{(p-1)}^2\right)$

And calculate following multinomial:

${\mathrm{poly}}^{(k-1)}\left(i\right)=\frac{x_i^{\left(k\right)}-1\left(\mathrm{mod}{p}^2{(p-1)}^2\right)}{p(p-1)}\left(\mathrm{mod}p(p-1)\right)$

$=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{\mathrm{poly}}_j^{(k-1)}\left(i\right)\left(\mathrm{mod}p(p-1)\right)$

$=i\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{r}_{j,1}^{\left(k\right)}+\&CenterDot;\&CenterDot;\&CenterDot;+i^{k-1}\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{r}_{j,k-1}^{\left(k\right)}\left(\mathrm{mod}p(p-1)\right)$

Wherein, formula model above

be that a removes the integer quotient that b obtains and uses p delivery again, rather than a is multiplied by b at integer field

in contrary, at formula

$\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{x}_i=\frac{x_i^{\left(k\right)}-1\mathrm{mod}{p}^2{(p-1)}^2}{p(p-1)}\mathrm{mod}p(p-1)$

Middle a representative $\frac{x_i^{\left(k\right)}-1\mathrm{mod}{p}^2{(p-1)}^2}{p(p-1)}\frac{x-1\mathrm{mod}{p}^2}{p}$ Middle molecule " $x_i^{\left(k\right)}-1\mathrm{mod}{p}^2{(p-1)}^{2}x-1\mathrm{mod}{p}^2$ ", b representative $\frac{x_i^{\left(k\right)}-1\mathrm{mod}{p}^2{(p-1)}^2}{p(p-1)}\frac{x-1\mathrm{mod}{p}^2}{p}$ " p (p-1) p " of middle denominator.

S34. described participant i obtains key parameter

S35. to all k=n _min..., n, repeatedly described step S32-S34; Described participant i obtains encryption key ${\mathrm{EK}}_i(R_i^{\left(n_{\min }\right)},R_i^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,R_i^{\left(n\right)}).$

Preferably, described n _minminimum is 3.

Preferably, described step S4 comprises:

Carrying out and calculating

time, all participants calculate x _iand ciphertext:

And the set of issuing all participant's compositions in all participants.

Preferably, described step S5 comprises:

Carrying out and calculating

time, all participants calculate x _ilong-pending ciphertext:

And the set of issuing all participant's compositions

in all participants.

Preferably, described step S6 comprises:

That all participants send according to other participants that receive and cryptogram computation:

Preferably, described step S7 comprises:

The long-pending cryptogram computation that all participants send according to other participants that receive:

(3) beneficial effect

Any customer group data-privacy of the protection safety that the embodiment of the present invention provides and with long-pending computational methods, provide calculate the data of any customer group and with long-pending method, can allow the participant of combination in any calculate safely their private data and with long-pending; And all data are used encryption keys, guaranteed the privacy of data; Meanwhile, key generates does not need safe communication channel, and eavesdropping is attacked and had robustness; In addition, method of the present invention does not rely on trusted third party, adopts acentric Distributed Calculation completely; Finally, the simple encryption of method use of the present invention, calculating consumes very little with the consumption of communicating by letter, and can on the limited platform of computational resource, realize.

Accompanying drawing explanation

Fig. 1 be any customer group data-privacy of the protection in embodiment of the present invention safety and with the schematic flow sheet of long-pending computational methods.

Embodiment

Below in conjunction with drawings and Examples, the specific embodiment of the present invention is described further.Following examples are only for the present invention is described, but are not used for limiting the scope of the invention.

As shown in fig. 1, any customer group data-privacy of the protection based on the polynomial interopolation algorithm safety providing in the present embodiment and mainly comprise step with long-pending computational methods:

S1. system initialization: specify security parameter κ, generate corresponding group of integers and system PKI according to described security parameter κ;

S2. generate private key for user: in customer group, participant calculates private key independently of one another, make the product of these private keys after modulo operation, be equivalent to one;

S3. key generates: in conjunction with described system PKI and private key for user be participant generate for enciphered data with key and long-pending key, and key for and encrypt, long-pending key is encrypted for long-pending;

S4. and encrypt: with calculate time, participant utilizes the key obtaining to being encrypted with calculating, and handle obtain issue other participants in customer group with ciphertext;

S5. long-pending encryption: when long-pending calculating, participant utilizes the key obtaining to be encrypted long-pending calculating, and the long-pending ciphertext obtaining is issued to other participants in customer group;

S6. and deciphering: the participant in customer group by the ciphertext combination of receiving obtain final and;

S7. long-pending deciphering: the participant in customer group obtains final amassing by the ciphertext combination of receiving.

Exemplary; in the present embodiment, also provide any customer group data-privacy of a kind of above-mentioned protection safety and with the specific implementation of the each step of long-pending computational methods; by utilizing the characteristic of polynomial interopolation algorithm, realize make the customer group of combination in any can complete quickly and safely following and with long-pending calculating:

Wherein x _ithe private data providing for participant i,

the set that the participant who calculates for all participations forms, only belongs to set participant can obtain result of calculation, and outside participant i, other people can not obtain about private data x _iany information.

In the present embodiment, described step S1 further comprises:

S11. after specifying security parameter κ, generate the prime number p that length is κ;

S12. select at random

?

in find one and p ²(p-1) ²relatively prime random number

S13. public address system PKI <p, g, g ₁>.

In the present embodiment, this step completes based on discrete logarithm, concrete, and this step further comprises:

S21. in customer group, participant i exists arbitrarily

in choose at random independently random number

S22. described participant i will

send to participant i-1 and participant i+1;

All participants' quantity is n, in this step:

When i=1, participant i-1 is participant n;

When i=n, participant i+1 is participant 1.

S23. described participant i calculates the private key of following parameter as oneself

And,

meet following characteristic:

Because discrete logarithm is difficult to solve in large integer field, therefore, although all communication channels are all disclosed, only have participant i to calculate

In the present embodiment, described step S3 further comprises:

S31. participant i independent random is chosen following (k-1) (n-n _min) individual random number is as oneself secret parameter:

$\{r_{i,1}^{\left(n_{\min }\right)},r_{i,1}^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,r_{i,1}^n\}$

$\{r_{i,2}^{\left(n_{\min }\right)},r_{i,2}^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,r_{i,2}^n\};$

…

$\{r_{i,k-1}^{\left(n_{\min }\right)},r_{i,k-1}^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,r_{i,k-1}^n\}$

Wherein, n _minbe participate in and, long-pending minimum number requirement of calculating; Preferably, described n _minminimum requirement is 3; If participant's total number of persons is less than 3, the participant who participates in calculating may can guess out other participants' data.According to application actual demand, different systems can have different lowest numbers to require (for example,, in data mining or mass-rent application, in order to obtain more general result, may need to guarantee certain sample size).

S32. the following key algorithm of the common participation of described participant i and other any participant j:

Input: p, g, g ₁and

The secret multinomial of participant j local computing oneself:

${\mathrm{poly}}_j^{(k-1)}\left(i\right)={\mathrm{ir}}_{j,1}^{\left(k\right)}+\&CenterDot;\&CenterDot;\&CenterDot;+i^{k-1}{r}_{j,k-1}^{\left(k\right)}\left(\mathrm{mod}p(p-1)\right);$

Calculate open parameter:

Participant j issues described participant i by the open parameter calculating;

S33. the following parameter of described participant i local computing:

${=(1+p(p-1))}^{\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{\mathrm{poly}}_j^{(k-1)}\left(i\right)}\left(\mathrm{mod}{p}^2{(p-1)}^2\right)$

And calculate following multinomial:

${\mathrm{poly}}^{(k-1)}\left(i\right)=\frac{x_i^{\left(k\right)}-1\left(\mathrm{mod}{p}^2{(p-1)}^2\right)}{p(p-1)}\left(\mathrm{mod}p(p-1)\right)$

$=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{\mathrm{poly}}_j^{(k-1)}\left(i\right)\left(\mathrm{mod}p(p-1)\right)$

$=i\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{r}_{j,1}^{\left(k\right)}+\&CenterDot;\&CenterDot;\&CenterDot;+i^{k-1}\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{r}_{j,k-1}^{\left(k\right)}\left(\mathrm{mod}p(p-1)\right);$

S34. described participant i obtains key parameter

S35. to all k=n _min..., n, repeatedly described step S32-S34;

S36. export the encryption key that described participant i obtains:

${\mathrm{EK}}_i(R_i^{\left(n_{\min }\right)},R_i^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,R_i^{\left(n\right)}).$

In the present embodiment, described step S4 further comprises:

Carrying out and calculating time, all participants calculate x _iand ciphertext:

And the set of issuing all participant's compositions

in all participants.

In the present embodiment, described step S5 further comprises:

Carrying out and calculating time, all participants calculate x _ilong-pending ciphertext:

And the set of issuing all participant's compositions

in all participants.

In the present embodiment, described step S6 further comprises:

That all participants send according to other participants that receive and cryptogram computation:

In the present embodiment, described step S7 further comprises:

The long-pending cryptogram computation that all participants send according to other participants that receive:

Any customer group data-privacy of the protection safety providing in the present embodiment and with long-pending computational methods; originate in without center, without TTP, without the environment of trusted channel, for the user of mutual mistrust provide efficiently, flexibly and protection privacy and, long-pending computational methods.All users' key in step S2 in the method and step S3 generation system, step S4 and step S6 provide calculate any customer group data and method, step S5 and step S7 step provides the long-pending method of any customer group data of calculating.Any customer group data-privacy of the protection safety providing in the present embodiment and with long-pending computational methods method can allow random subset participant in n name participant calculate their data and with long-pending, and other people can not get other information about personal data except data owner.The method relate to an add operation of a sum of products with encryption, long-pending encryption relates to exponent arithmetic of twice sum of products, thus encrypt calculating consume very low.Need with deciphering

sub-addition computing, long-pending deciphering needs

inferior multiplying, calculating consumes also very low.And each user only need to preserve n key, has linear space complexity.

Above execution mode is only for illustrating the present invention; and be not limitation of the present invention; the those of ordinary skill in relevant technologies field; without departing from the spirit and scope of the present invention; can also make a variety of changes and modification, therefore all technical schemes that are equal to also belong to protection category of the present invention.

Claims (10)

1. Any customer group data-privacy of protection based on polynomial interopolation algorithm safety and with long-pending computational methods, it is characterized in that, comprise step:

   S1. system initialization: specify security parameter κ, generate corresponding group of integers and system PKI according to described security parameter κ;

   S2. generate private key for user: in customer group, participant calculates private key independently of one another, make the product of these private keys after modulo operation, be equivalent to one;

   S3. key generates: in conjunction with described system PKI and private key for user be participant generate for enciphered data with key and long-pending key;

   S4. and encrypt: with calculate time, participant utilizes the key obtaining to being encrypted with calculating, and handle obtain issue other participants in customer group with ciphertext;

   S5. long-pending encryption: when long-pending calculating, participant utilizes the key obtaining to be encrypted long-pending calculating, and the long-pending ciphertext obtaining is issued to other participants in customer group;

   S6. and deciphering: the participant in customer group by the ciphertext combination of receiving obtain final and;

   S7. long-pending deciphering: the participant in customer group obtains final amassing by the ciphertext combination of receiving.
2. According to claim 1 and with long-pending computational methods, it is characterized in that, described step S1 comprises:

   S11. after specifying security parameter κ, generate the prime number p that length is κ;

   S12. select at random

   

   ?

   

   in find one and p ²(p-1) ²relatively prime random number

   S13. public address system PKI <p, g, g ₁>.
3. According to claim 2 and with long-pending computational methods, it is characterized in that, described step S2 comprises:

   S21. in customer group, participant i chooses independently at random arbitrarily

   S22. described participant i will send to participant i-1 and participant i+1;

   S23. described participant i calculates the private key of following parameter as oneself

   

   

   And,

   
4. According to claim 3 and with long-pending computational methods, it is characterized in that, all participants' quantity is n, in described step S22:

   When i=1, participant i-1 is participant n;

   When i=n, participant i+1 is participant 1.
5. According to described in claim 3 or 4 and with long-pending computational methods, it is characterized in that, described step S3 comprises:

   S31. participant i independent random is chosen the secret parameter of following random number as oneself:

   $\{r_{i,1}^{\left(n_{\min }\right)},r_{i,1}^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,r_{i,1}^n\}$

   $\{r_{i,2}^{\left(n_{\min }\right)},r_{i,2}^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,r_{i,2}^n\};$

   …

   $\{r_{i,k-1}^{\left(n_{\min }\right)},r_{i,k-1}^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;,r_{i,k-1}^n\}$

   Wherein, n _minbe participate in and, long-pending minimum number requirement of calculating;

   S32. the following key algorithm of the common participation of described participant i and other any participant j:

   The secret multinomial of participant j local computing oneself:

   ${\mathrm{poly}}_j^{(k-1)}\left(i\right)={\mathrm{ir}}_{j,1}^{\left(k\right)}+\&CenterDot;\&CenterDot;\&CenterDot;+i^{k-1}{r}_{j,k-1}^{\left(k\right)}\left(\mathrm{mod}p(p-1)\right);$

   Calculate open parameter:

   

   Participant j issues described participant i by the open parameter calculating;

   S33. the following parameter of described participant i local computing:

   

   ${=(1+p(p-1))}^{\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{\mathrm{poly}}_j^{(k-1)}\left(i\right)}\left(\mathrm{mod}{p}^2{(p-1)}^2\right)$

   And calculate following multinomial:

   ${\mathrm{poly}}^{(k-1)}\left(i\right)=\frac{x_i^{\left(k\right)}-1\left(\mathrm{mod}{p}^2{(p-1)}^2\right)}{p(p-1)}\left(\mathrm{mod}p(p-1)\right)$

   $=\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{\mathrm{poly}}_j^{(k-1)}\left(i\right)\left(\mathrm{mod}p(p-1)\right)$

   $=i\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{r}_{j,1}^{\left(k\right)}+\&CenterDot;\&CenterDot;\&CenterDot;+i^{k-1}\underset{j=1}{\overset{n}{\mathrm{\&Sigma;}}}{r}_{j,k-1}^{\left(k\right)}\left(\mathrm{mod}p(p-1)\right);$

   S34. described participant i obtains key parameter

   

   S35. to all k=n _min..., n, repeatedly described step S32-S34; Described participant i obtains encryption key ${\mathrm{EK}}_i(R_i^{\left(n_{\min }\right)},R_i^{(n_{\min }+1)},\&CenterDot;\&CenterDot;\&CenterDot;{,R}_i^{\left(n\right)}).$
6. According to claim 5 and with long-pending computational methods, it is characterized in that described n _minminimum is 3.
7. According to claim 5 and with long-pending computational methods, it is characterized in that, described step S4 comprises:

   Carrying out and calculating

   

   time, all participants calculate x _iand ciphertext:

   

   And the set of issuing all participant's compositions

   

   in all participants.
8. According to claim 5 and with long-pending computational methods, it is characterized in that, described step S5 comprises:

   Carrying out and calculating

   

   time, all participants calculate x _ilong-pending ciphertext:

   

   And the set of issuing all participant's compositions

   

   in all participants.
9. According to described in claim 7 or 8 and with long-pending computational methods, it is characterized in that, described step S6 comprises:

   That all participants send according to other participants that receive and cryptogram computation:

   

   
10. According to described in claim 7 or 8 and with long-pending computational methods, it is characterized in that, described step S7 comprises:

    The long-pending cryptogram computation that all participants send according to other participants that receive: